diff options
| author | Michael Brown <mcb30@ipxe.org> | 2023-05-23 14:55:08 +0100 |
|---|---|---|
| committer | Michael Brown <mcb30@ipxe.org> | 2023-05-23 15:27:20 +0100 |
| commit | 5b4318143648272b36736c1d1d5d1acbda9a5876 (patch) | |
| tree | 5dfe1ca8d04a858620bae4c91a4a9d23aca0538f /src/include/ipxe/efi | |
| parent | d2e1601cf4c8a0df21c08b9c8acf22e9cb631c5c (diff) | |
| download | ipxe-5b4318143648272b36736c1d1d5d1acbda9a5876.zip ipxe-5b4318143648272b36736c1d1d5d1acbda9a5876.tar.gz ipxe-5b4318143648272b36736c1d1d5d1acbda9a5876.tar.bz2 | |
[efi] Support versions of shim that perform SBAT verification
The UEFI shim implements a fairly nicely designed revocation mechanism
designed around the concept of security generations. Unfortunately
nobody in the shim community has thus far added the relevant metadata
to the Linux kernel, with the result that current versions of shim are
incapable of booting current versions of the Linux kernel.
Experience shows that there is unfortunately no point in trying to get
a fix for this upstreamed into shim. We therefore default to working
around this undesirable behaviour by patching data read from the
"SbatLevel" variable used to hold SBAT configuration.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include/ipxe/efi')
| -rw-r--r-- | src/include/ipxe/efi/efi_shim.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/include/ipxe/efi/efi_shim.h b/src/include/ipxe/efi/efi_shim.h index ad8d24d..21f2431 100644 --- a/src/include/ipxe/efi/efi_shim.h +++ b/src/include/ipxe/efi/efi_shim.h @@ -14,6 +14,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); extern int efi_shim_require_loader; extern int efi_shim_allow_pxe; +extern int efi_shim_allow_sbat; extern struct image_tag efi_shim __image_tag; extern int efi_shim_install ( struct image *shim, EFI_HANDLE handle, |